Zoom Safety and Security: How Safe is Zoom to Install and Use?

Top Zoom security features to keep your calls safe

Before we cover Zoom features, add-ons, and strategies for security, we’ll take a look at the built-in security technology, including what encryption is used, what privacy policies they use, and how recordings are stored.

How Zoom protects your privacy

Zoom only stores information included on your user account profile, including your:

Zoom does not sell your personal data, no matter what type of entity you are. They do not monitor or store your meetings aside from cloud recordings for your use. They collect user data required to provide and improve their services, including a user’s IP address, OS, and device type. Read their entire privacy policy for more information on how they collect and use your information.

Zoom chat encryption

Zoom’s chat features are encrypted using Advanced Encryption Standard (AES-256) to ensure users have a secure line of communication between sender and recipient. Chat sessions are encrypted using both asymmetric and symmetric algorithms, and session keys are generated using a device-specific hardware ID so only your device can read the chat. This protects the chat from being intercepted, eavesdropped on, or otherwise tampered with.

Store Zoom recordings safely

Meeting recordings can be stored on the host’s local device or on Zoom’s cloud (with the Cloud Recording option added to your plan). After recordings are saved to your device, you can use an encryption software to protect the recording.

If you choose to use Zoom’s Cloud Recording add-on, meetings will be stored to their cloud. These meetings can be password protected or access can be restricted to people within your organization.

Zoom phone voicemail

Phone voicemail recordings use cloud storage. These are accessed through the Zoom client, which has a secured access. This keeps voicemails safe and means storage is handled on their end.

Zoom authentication flexibility

Zoom is compatible with multiple authentication methods, including SAML, OAuth, and Password-based. Each can be individually enabled or disabled for an account.

Zoom pairs with a variety of enterprise identity management platforms to make monitoring and managing access easy. Compatible services include Okta, Delinea (formerly Centrify), Microsoft Active Directory, Gluu, OneLogin, PingOne, and more.

OAuth-based provisioning works with Google or Facebook to make this extremely fast. You can also use an API call to pre-provision users from any database back-end, so universities and organizations can add users to their managed domains.

How to use Zoom meetings safely

On top of the built-in security technologies and settings, there are a number of features and strategies available to increase the safety of your meetings. Follow the strategies below to make sure it is secure and safe for you and your meeting participants.

1. Create Waiting Rooms for attendees

The Zoom Waiting Room feature funnels attendees into a waiting room prior to entering the meeting. The host controls when participants can enter the meeting, admitting them one at a time or all at once. You can choose to admit all participants or only guests (participants who are not on your Zoom account or are not signed in).

This feature can be used to screen participants before admitting them, including guests and team members. To get this running, learn how to enable, use, and customize the Waiting Room feature.

2. Require a meeting host before meeting start

Enabling this setting allows you to require the host to be present before the meeting will begin. Participants will wait to connect until the host has joined the meeting. This ensures that the host is always present from the start of the meeting, and can monitor and control the call.

If a malicious person gets into your call, the host will be able to remove them. Similarly, they can restrict access if a member has their mic unmuted and loud background noise. This is especially useful for calls with guests, as they are less predictable than team members.

3. Expel a participant or all participants

The host has the ability to remove an individual – or all – participants from a meeting. In the case that someone is disrupting the call, causing network issues and cannot correct it themselves, or any other issue, the host can expel them from the call. If there’s a problem with the entire call, they can also expel all users. This is useful if a meeting ID is compromised, as they can expel participants and lock the meeting. They can then invite people to a new meeting.

4. Lock a meeting

Locking a meeting restricts users from joining. Once all expected participants have joined, you can lock the meeting, ensuring that no one else can get in. It may seem unnecessary, but if anyone has access to the meeting ID, they can potentially join the meeting. You can expel them, but locking the meeting ensures this interruption never occurs.

5. Use screen share watermarks

Image Credit: Zoom Support

Screen share watermarks work by superimposing a portion of the participant’s email address onto the content they are sharing. If their email is admin@example.com, then admin will be imposed on the shared content by that user. This is a simple way of knowing immediately who is sharing content, as well as retroactively identifying the person responsible for sharing inappropriate or harmful content. With this feature enabled, participants are less likely to share harmful content. And you, as a host, have more recourse to control this action and follow up.

6. Use audio signatures

The audio signatures feature embeds each individual Zoom user’s credential as an audio signature. If an audio recording is leaked or made public, you can use this audio signature to easily identify the source of the leak. This feature helps you secure meetings and protect your intellectual property, competitive edge, and reputation. With this enabled, you can collaborate confidently with trust and peace of mind.

7. Control who can record meetings

Enable and disable a single participants ability to record a Zoom meeting. Alternatively, you can restrict all participants from recording. By restricting access to recording you will keep proprietary information safe, save storage space on unnecessary recordings, and secure your experience.

We recommend limiting recording access to a select few, and even an individual depending on the size of your organization. This way, you limit issues in the first place, and make isolating breaches simpler.

8. Password-protect your meetings

Password-protecting meetings may give users one additional step before joining, but it goes a long way towards keeping the meeting safe. Randomly generating passwords for each meeting keeps your meetings extremely secure. Passwords are sent out on invites to participants, but this ensures that anyone that gets access to the meeting ID won’t be able to get in without the password.

We recommend always password protecting your meetings, as it’s an added layer of protection with little additional work.

9. Restrict access based on email domain of attendee

You can enable a setting that only allows individuals with a specific email domain to join. This lets you restrict access to specific domains, such as those in your organization. This is great for meetings within your organization, and can be used for meetings between you and another company with multiple participants in each party.

By limiting access based on email domains, you ensure that no one else can access your meetings.

4 known Zoom security issues

Below are known issues related to using Zoom safely and securely. Most of these have been exploited with the rise of video-conferencing usage related to COVID-19. As more people are using the technology, more malicious actors are finding ways of exploiting the tool. The below issues are all known to Zoom, and are currently being addressed. They may even be solved at the time you are reading this. You can also see a chronological list of recent Zoom security problems along with what they are doing to address them.

See the main known security issues below:

1. Zoombombing

Zoombombing is when uninvited participants join a meeting with the intent of derailing, interrupting, and otherwise negatively impacting the meeting. This is often harmless trolling, but it can escalate to harassment in some cases. There are features and settings available to protect against Zoombombing.

In most cases, the person entering the meeting maliciously will share inappropriate content to meeting participants, including pornographic images, racists taunts, and similarly offensive or harmful content. The intent is to gain access to the meeting to disrupt the meeting and harass participants.

Typically, the people doing this are using networks to find, share, and use meeting ID numbers and passwords. They use this information to access meetings and typically use the screen sharing feature to share malicious and offensive content.

Requiring a password to access the meeting can protect against people joining. People that generate random meeting IDs or are sharing meeting IDs won’t be able to join. Randomly generating a new meeting ID for each meeting will ensure users can’t use the same meeting ID to gain repeated access to a meeting.

Restricting screen sharing permissions can also help keep this under control and ensure that if malicious participants gain access to your meeting, they can’t share their screen to other viewers.

2. Installer exploits

Recently, an exploit was found in the Zoom installer, which took over admin privileges to gain root access to a user’s device. This access could be exploited to install programs on the user’s device without them knowing. This includes being able to gain access to a user’s webcam and microphone. Zoom has pushed a silent update to Apple services to disable this, and have since worked to help close this exploit.

3. Data routing questions

Some users have concerns about how Zoom handles users’ data. Despite their privacy policy outlining the use cases for data they collect on participants, they were found to be sending data to Facebook, in some cases even when the user was not logged into their Facebook account.

Zoom also recently admitted that some calls were mistakenly routed through China, where the government is known to heavily monitor Internet use. This raises some concerns about the level of protection Zoom offers its users and the transparency around their privacy policies and how they actually use your data.

4. End-to-end encryption weaknesses

The Intercept broke an article at the end of March 2020, pointing out that contrary to what marketing materials state, they were not using true end-to-end encryption. Based on the way Zoom defines an ‘end’, they were claiming to be using end-to-end encryption, when they were in fact using TLS encryption.

While this type of transport encryption protects people from trying to access through your WiFi, it does not protect the data from the company handling your data – in this case, Zoom. While Zoom’s privacy policy ensures that they do not use this data for any purposes other than to operate and improve their service, their marketing materials claim that their service uses end-to-end encryption, which is misleading.

Zoom safety & security FAQs

Below are some other frequently asked questions about Zoom security and safety. These answer more direct, one-off questions that can help you learn more about safety features as well as tips to use the video-conferencing tool safer.

How safe is Zoom for the average user?

For most standard use cases, Zoom is safe to use. When handling confidential, proprietary, or personal health information, you should always consider the security of the service you use. Basic plans may not be adequate, but advanced plans may meet the security standards you need to secure your data.

For most casual users, Zoom is safe to use as long as you follow their safety precautions, use recommended security measures, and enable added features.

Is Zoom communication encrypted?

Yes. All Zoom meetings, chat, webinars, presentation content at the application layer, and screen-shared content uses Advanced Encryption Standard (AES-256). The network connection can also use a 256-bit TLS encryption standard.

Users are also authenticated based on how they access the app or service. These often have their own encryption methods.

Is Zoom safe to install?

Shortly after increased use of Zoom due to COVID-19, an exploit was found in the installer, which left the user’s device open to exploitation during install. This includes the hacker being able to gain access to the user’s microphone and webcam. Zoom pushed a silent update to their Apple products to close this exploit.

For the average user, downloading and installing the app is safe. Installing from the launcher is still one of the safest ways to install the app.

Is Zoom safe for confidential communications?

Zoom Meetings is not designed for specific use cases such as confidential, sensitive, and other protected information. Certain professions and use cases are not ideally suited for Zoom’s free or basic plan, including healthcare, government, or law, to name a few.

Is Zoom video conferencing secure?

Zoom video conferencing uses the same encryption as their meeting and chat – Advanced Encryption Standard (AES-256). Zoom video conferencing also has additional security features that give the host control over securing the meeting, such as password protection, locking the meeting, and more.

Zoom is safe to use for the average user, and for most work and business purposes. Depending on the nature of your business and the confidential nature of the information you are storing, you may want a higher security plan or to use an alternative. The video-conferencing app also has many features that can be used to add levels of security to your meetings, including password protecting meetings, locking meetings, restricting screen sharing, and more.

If you are still not sure Zoom is right for you, you can check out alternative video calling and conferencing solutions.